dissect.target 3.19.dev24__py3-none-any.whl → 3.19.dev25__py3-none-any.whl

dissect/target/plugins/filesystem/ntfs/mft.py

@@ -1,9 +1,10 @@
 import logging
-from typing import Callable
+from typing import Callable, Iterator
 
 from dissect.ntfs.attr import Attribute
 from dissect.ntfs.c_ntfs import FILE_RECORD_SEGMENT_IN_USE
 from dissect.ntfs.mft import MftRecord
+from flow.record import Record
 from flow.record.fieldtypes import windows_path
 
 from dissect.target.exceptions import UnsupportedPluginError
@@ -53,7 +54,6 @@ FilesystemStdRecord = TargetRecordDescriptor(
     ],
 )
 
-
 FilesystemFilenameCompactRecord = TargetRecordDescriptor(
     "filesystem/ntfs/mft/filename/compact",
     [
@@ -90,6 +90,21 @@ FilesystemFilenameRecord = TargetRecordDescriptor(
     ],
 )
 
+FilesystemMACBRecord = TargetRecordDescriptor(
+    "filesystem/ntfs/mft/macb",
+    [
+        ("datetime", "ts"),
+        ("string", "macb"),
+        ("uint32", "filename_index"),
+        ("uint32", "segment"),
+        ("path", "path"),
+        ("string", "owner"),
+        ("filesize", "filesize"),
+        ("boolean", "resident"),
+        ("boolean", "inuse"),
+        ("string", "volume_uuid"),
+    ],
+)
 
 RECORD_TYPES = {
     InformationType.STANDARD_INFORMATION: FilesystemStdRecord,
@@ -118,7 +133,12 @@ class MftPlugin(Plugin):
         ]
     )
     @arg("--compact", action="store_true", help="compacts the MFT entry timestamps into a single record")
-    def mft(self, compact: bool = False):
+    @arg(
+        "--macb",
+        action="store_true",
+        help="compacts the MFT entry timestamps into aggregated records with MACB bitfield",
+    )
+    def mft(self, compact: bool = False, macb: bool = False):
         """Return the MFT records of all NTFS filesystems.
 
         The Master File Table (MFT) contains primarily metadata about every file and folder on a NFTS filesystem.
@@ -133,10 +153,19 @@ class MftPlugin(Plugin):
             - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table
         """
 
-        if compact:
+        record_formatter = formatter
+
+        def noaggr(records: list[Record]) -> Iterator[Record]:
+            yield from records
+
+        aggr = noaggr
+
+        if compact and macb:
+            raise ValueError("--macb and --compact are mutually exclusive")
+        elif compact:
             record_formatter = compacted_formatter
-        else:
-            record_formatter = formatter
+        elif macb:
+            aggr = macb_aggr
 
         for fs in self.target.filesystems:
             if fs.__type__ != "ntfs":
@@ -167,17 +196,19 @@ class MftPlugin(Plugin):
 
                         for path in record.full_paths():
                             path = f"{drive_letter}{path}"
-                            yield from self.mft_records(
-                                drive_letter=drive_letter,
-                                record=record,
-                                segment=record.segment,
-                                path=path,
-                                owner=owner,
-                                size=size,
-                                resident=resident,
-                                inuse=inuse,
-                                volume_uuid=volume_uuid,
-                                record_formatter=record_formatter,
+                            yield from aggr(
+                                self.mft_records(
+                                    drive_letter=drive_letter,
+                                    record=record,
+                                    segment=record.segment,
+                                    path=path,
+                                    owner=owner,
+                                    size=size,
+                                    resident=resident,
+                                    inuse=inuse,
+                                    volume_uuid=volume_uuid,
+                                    record_formatter=record_formatter,
+                                )
                             )
                     except Exception as e:
                         self.target.log.warning("An error occured parsing MFT segment %d: %s", record.segment, str(e))
@@ -275,3 +306,33 @@ def formatter(attr: Attribute, record_type: InformationType, **kwargs):
         ("A", attr.last_access_time),
     ]:
         yield record_desc(ts=timestamp, ts_type=type, **kwargs)
+
+
+def macb_aggr(records: list[Record]) -> Iterator[Record]:
+    def macb_set(bitfield, index, letter):
+        return bitfield[:index] + letter + bitfield[index + 1 :]
+
+    macbs = []
+    for record in records:
+        found = False
+
+        offset_std = int(record._desc.name == "filesystem/ntfs/mft/std") * 5
+        offset_ads = (int(record.ads) * 10) if offset_std == 0 else 0
+
+        field = "MACB".find(record.ts_type) + offset_std + offset_ads
+        for macb in macbs:
+            if macb.ts == record.ts:
+                macb.macb = macb_set(macb.macb, field, record.ts_type)
+                found = True
+                break
+
+        if found:
+            continue
+
+        macb = FilesystemMACBRecord.init_from_record(record)
+        macb.macb = "..../..../...."
+        macb.macb = macb_set(macb.macb, field, record.ts_type)
+
+        macbs.append(macb)
+
+    yield from macbs

{dissect.target-3.19.dev24.dist-info → dissect.target-3.19.dev25.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.19.dev24
+Version: 3.19.dev25
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.19.dev24.dist-info → dissect.target-3.19.dev25.dist-info}/RECORD

@@ -166,7 +166,7 @@ dissect/target/plugins/filesystem/resolver.py,sha256=HfyASUFV4F9uD-yFXilFpPTORAs
 dissect/target/plugins/filesystem/walkfs.py,sha256=e8HEZcV5Wiua26FGWL3xgiQ_PIhcNvGI5KCdsAx2Nmo,2298
 dissect/target/plugins/filesystem/yara.py,sha256=JdWqbqDBhKrht3fTroqX7NpBU9khEQUWyMcDgLv2l2g,6686
 dissect/target/plugins/filesystem/ntfs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/filesystem/ntfs/mft.py,sha256=AD3w2FIjDAf8x2KEbBhz2NeOA_lxIAmw353w6J3ObYU,9565
+dissect/target/plugins/filesystem/ntfs/mft.py,sha256=2ibCLJA7yUrZshFSPKdjoNt3TpfwTtk-DaErghe91CM,11445
 dissect/target/plugins/filesystem/ntfs/mft_timeline.py,sha256=vvNFAZbr7s3X2OTYf4ES_L6-XsouTXcTymfxnHfZ1Rw,6791
 dissect/target/plugins/filesystem/ntfs/usnjrnl.py,sha256=uiT1ipmcAo__6VIUi8R_vvIu22vdnjMACKwLSAbzYjs,3704
 dissect/target/plugins/filesystem/ntfs/utils.py,sha256=xG7Lgw9NX4tDDrZVRm0vycFVJTOM7j-HrjqzDh0f4uA,3136
@@ -346,10 +346,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.19.dev24.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.19.dev24.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.19.dev24.dist-info/METADATA,sha256=svE2PfocnTmkG0NldymfR4W2rf2I-Jg2pfXkN_O-cvw,12719
-dissect.target-3.19.dev24.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
-dissect.target-3.19.dev24.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.19.dev24.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.19.dev24.dist-info/RECORD,,
+dissect.target-3.19.dev25.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.19.dev25.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.19.dev25.dist-info/METADATA,sha256=7Zg79geLIProzjOZaFpDxr0Zfurfq0EgleNkmo8sI5E,12719
+dissect.target-3.19.dev25.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
+dissect.target-3.19.dev25.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.19.dev25.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.19.dev25.dist-info/RECORD,,